Among different types of medical audits, the auditor’s role remains the same: review healthcare providers’ policies and procedures to ensure compliance with federal, state, and payer regulations. But questions arise due to the assortment of auditing methodologies and the many requirements that define compliant billing activity.
To help fill in the gaps of medical chart review knowledge, here are answers to the most common medical auditing questions asked by both seasoned medical coders accustomed to conducting audits and students preparing for the certification exam. This page is a resource to provide a better understanding of the healthcare auditing landscape.
A medical chart review, also referred to as a chart audit, is an examination of medical records to determine what procedures or services were performed. From this, the auditor determines if the documentation is compliant, if the claim is coded correctly, and if all charges are captured.
A medical audit can reveal unexpected errors hidden in the medical record, such as services not provided, services billed under the wrong provider, services not ordered by a licensed professional, wrong procedures and diagnoses reported, and other coding and billing errors.
The American Medical Association (AMA) defines medical necessity as “health care services or products that a prudent physician would provide to a patient for the purpose of preventing, diagnosing, or treating an illness, injury, disease, or its symptoms in a manner that is: (a) in accordance with generally accepted standards of medical practice; (b) clinically appropriate in terms of type, frequency, extent, site, and duration; and (c) not primarily for the economic benefit of the health plans and purchasers or for the convenience of the patient, treating physician, or other health care provider.”
The Centers for Medicare & Medicaid Services (CMS) relies on the Social Security Act (Title XVIII of the Social Security Act, Section 1862 [a] [1] [a]) for its understanding of “medical necessity.” That part of the law states “no payment may be made under [Medicare] part A or part B for any expenses incurred for items or services which … are not reasonable and necessary for the diagnosis or treatment of illness or injury or to improve the functioning of a malformed body member.” Other payers may take a similar approach.
If Medicare or other payers determine services were medically unnecessary after payment was issued, they will demand a refund of the overpayment with interest. Should payers find a pattern of overpayment, the physician may face monetary penalties, exclusion from the Medicare/payer program, and even criminal prosecution.
Diagnosis codes identify the medical necessity of services provided by describing the circumstances of the patient’s condition. Most payers use claim edits or automatic denial/review commands within their computer software to review claims. These edits ensure that payment is made for specific procedure codes when provided to a patient with a specific diagnosis code or range of ICD-10-CM codes.
CMS developed Medically Unlikely Edits (MUEs) to help reduce the paid claims error rate for Medicare Part B claims. MUEs define the maximum units of service that a provider would report, under most circumstances, for a single beneficiary, on a single date of service (DOS), for a specific CPT® or HCPCS Level II code.
A medical billing audit, sometimes referred to as a revenue cycle management (RCM) audit, covers broader areas than the medical coding audit. Designed to optimize RCM performance, the billing audit includes a medical record audit, as well as an evaluation of the entire billing cycle — from copay collection processes and insurance verification to claim submissions, payment posting, follow up, and denials and appeals processes.
Relying on both internal and external audits is the gold standard in the highly regulated, highly scrutinized healthcare industry.
A strong internal chart auditing program will detect insufficient documentation and improper coding, making it easier for healthcare organizations to resolve areas of noncompliance and capture missed revenue. An external audit, on the other hand, delivers invaluable objectivity.
Whether a healthcare organization is a hospice, a home health agency, a solo physician practice, or a large university medical center, it can benefit from another set of eyes to help see what may be broken. Without auditing services from an objective partner (experts who live and breathe healthcare auditing), a healthcare organization is consigning its business to the status quo. And as third-party audits confirm, the status quo is likely to conceal risk.
Healthcare organizations commonly hold themselves to a minimum of 90 percent coding accuracy for most audit types. But when setting pass rate thresholds, it’s important to understand how to measure audits and the impact pass rates will have on the organization. For example, when discussing corporate integrity agreements (CIAs), the OIG states that “a full sample size is only required if the net financial error rate of the discovery sample equals or exceeds 5 percent.”
Auditing is the process of examining the medical record, verifying information, and gathering baseline information to identify risk areas. Monitoring is the ongoing process of reviewing coding practices and the adequacy of the documentation and code selection. Monitoring should be conducted regularly and include activities such as auditing, reviewing utilization patterns, reviewing computerized reports, and reviewing reimbursement. A monitoring system is usually implemented based on findings from the baseline audit.
A focused audit looks at one item, one type of service, one provider, or one coder. A random audit reviews medical records chosen by chance to determine a healthcare organization’s compliance and possible liabilities.
Before beginning an audit, the auditor will need to determine if they are going to complete a focused audit or a random audit. The decision helps to determine what will be audited, as well as the sample size.
A focused audit may concentrate on one type of service to determine compliance, such as new patient visits, established patient visits, consultations, or nursing home visits. If a healthcare organization employs nonphysician practitioners, it's a good idea to conduct an audit to verify compliance with incident-to rules.
Random audits make excellent baseline audits. They look at all possible services provided within a specific timeframe and often identify areas for potential education and future focused audits to determine the effectiveness of the education.
Types of healthcare audits, in addition to random audits and focused audits, include:
A statistically valid sample uses scientific sampling methods to ensure that audit results from the medical chart sample reflect all claims submitted to or processed by payers.
One type of statistical sampling is proportional sampling. The sample is built around high frequency items or items considered proportionally significant. This could, for example, involve frequently billed CPT® or HCPCS Level II codes with the highest dollar charge.
Another statistical method of sampling is known as numerical sampling. The sample size is based on all possible services within a determined period. This type of sample lends itself to a random final selection. During a simple random selection, all items in the total sample have an equal chance of selection in the audit. Random number generators can be found on the internet to provide a random selection process.
An example of nonstatistical sampling, also called judgmental sampling, can be applied to a focused audit. The sample is based on unique services defined in the objective and scope. This type of sampling could be used if the audit is being performed to look only at high levels of service. For instance, only the level 4 and 5 evaluation and management (E/M) visits would be included in the sample, and the selection would be made from that sample.
The tools needed to perform a successful audit will depend on the type and scope of the audit. An array of healthcare auditing resources provides auditors with details needed to assess reporting accuracy.
Modifier 59 Distinct procedural service, for example, has long been under audit scrutiny, which is why medical coders should review coding guidelines and Medicare rules before using this modifier. Documentation in the medical record must satisfy criteria to use modifier 59 and other NCCI-associated modifiers to bypass an NCCI edit.
Some MACs provide specific information pertaining to documentation and coding guidelines that must be adhered to. Auditors should review the information for the relevant MAC on their website to become familiar with various policies. Medicaid policies are also important to review, especially if the organization provides services for family medicine, internal medicine, pediatrics, or obstetrics and gynecology.
Audits may identify missed charges and encourage the review and correction of denials. An audit’s revenue objectives involve examining coding practices for lost revenue due to the improper use of codes. Common issues causing revenue loss include:
Utilization review and data mining provide insight into billing patterns and can uncover areas of risk. Utilization review provides data about how frequently certain services are billed. Examining that data reveals utilization patterns, which can then be used to evaluate coding patterns.
Federal contractors like to focus on frequency of improperly paid claims because, as of Feb. 12, 2024, False Claims Act penalties increased from $13,508-$27,018 per claim to $13,946-$27,894 per claim. To know whether a practice might raise any red flags, auditors should check claims frequency against national frequency norms.
An auditor looks at a practice’s 25 most frequent services and compares them to Medicare utilization data. If, for example, the national average of a code is 5.5 percent of all services, and a practice uses it twice as often, the practice should prioritize a self-audit to review the service and verify that solid coding and documentation support the claims.
Data mining is a method that many payers use to compare billing frequencies of one provider against other providers working in the same medical specialty. Together with utilization review, data mining reveals if a provider bills outside of the normal statistical pattern.
Auditors can use these two methodologies to compare providers in any size practice or facility. In large facilities, this comparison can be used to identify high-risk areas. For example, a compliance or audit department may decide to audit providers that show a greater than 20 percent variance between their billing patterns and those of their peers.
Periodic audits ensure the medical record meets federal and state regulations and serves its three primary purposes:
Proactively choosing to conduct an external audit, or even an internal audit, will allow an organization to identify problem areas and make corrections before a Recovery Audit Contractor (RAC), MAC, or the OIG requests an audit.
The medical record audit report should identify key findings and present the analysis, rationale, and recommendations in an easy-to-follow and easy-to-apply format.
Factors that raise red flags with federal healthcare programs and private payers could involve:
Overpayment disclosure, or self-disclosure, refers to reporting errors identified in an audit that have resulted in overpayments and/or amount to illegal billing activity. According to the OIG, disclosure gives providers an opportunity to avoid the costs and disruptions of litigation.
But it’s not the auditor’s responsibility to identify an organization’s legal duty to disclose and refund an overpayment. As a general rule, all overpayments should be disclosed and refunded, but moral duty is not necessarily legal duty. The auditor that discovers errors associated with liability should recommend that the medical practice engage legal counsel for analysis of legal duty.
Comprehensive Error Rate Testing (CERT) is a CMS program conducted annually to measure improper payments in the Medicare Fee-for-Service (FFS) program. The U.S. Department of Health and Human Services (HHS) publishes the improper payment rate in the Agency Financial Report each November. CMS later publishes the Medicare Fee-for-Service (FFS) Improper Payments Report and Appendices, which provides specific error rates and improper payment rates for services and provider types.
CERT data is reported annually to alert federal agencies to prevalent claim errors. While this report focuses on claims submitted to CMS, error statistics can benefit physician practices by illuminating reporting errors that likely reflect claims submitted to private payers. It’s advisable for auditors and medical coders to review the annual CERT report.
Provider organizations should understand how CMS uses the information garnered from the CERT program. First, CMS uses providers’ data to “protect the Medicare Trust Fund by identifying errors and assessing error rates, at both the national and regional levels,” indicates Part B MAC CGS Medicare.
Second, through the CERT program, the government tracks error trends among provider types, codes, and services. These findings help CMS pinpoint issues raising the improper payment rate. The agency then uses this information to rein in outliers, rectify issues, and facilitate program integrity.
Lastly, CMS uses the information garnered from the report to measure how MACs perform. The CERT data helps to determine regional programming and education, including tools like the Targeted Probe and Educate (TPE) program and Comparative Billing Reports (CBRs) in a jurisdiction.
The OIG Work Plan lists active items such as audits, evaluations, and inspections that are planned or underway. These priority projects will be conducted by the OIG’s Office of Audit Services, Office of Evaluation and Inspections, Office of Investigations, and Office of Counsel to the Inspector General.
According to the OIG, factors considered in their plan are based on required mandatory OIG reviews, concerns raised by Congress, the Office of Management and Budget, HHS management, HHS challenges with management and performance, implemented OIG recommendations from earlier reviews, potential for positive impact, and work performed by oversight organizations.
The RAC program works through CMS, which hires contractors and pays them on a contingency fee basis. This means that RACs are paid a percentage of the money they recover, which gives them an incentive to rectify overpayments.
RACs are required to employ a variety of professionals to review claims, including nurses, therapists, certified medical coders, and physicians. Claims processing contractors have the responsibility of adjusting claims, managing offsets and refunds, and reporting the debt on financial statements. Recovery audit contractors can go back three years to review claims. Their main goal is to identify improper reimbursement.
FFS recovery auditors perform two types of reviews:
If the FFS recovery auditor identifies an improper payment, a letter is sent to the provider that includes the review results, decision, and rationale. The MAC will adjust the claim and send a demand letter to the provider for the overpayment.
If the provider agrees with the demand letter, they may submit payment, ask for a recoupment of future payments, or ask for an extended payment plan. If the provider disagrees with the demand letter, they may submit a discussion period request to the recovery auditor within 30 days from the date of the demand letter. Other options include submitting a rebuttal to the MAC within 15 days of the date of the demand letter or submitting a redetermination request to the MAC within 120 days from the date of the demand letter. This last option is the first level of appeal.
A compliance plan is a collection of steps that a provider, organization, or practice establishes to ensure adherence to federal and state regulations. All physician offices and healthcare facilities should solidify a compliance plan that outlines the process for coding and submitting accurate claims, as well as clearly defining what to do if mistakes are found.
The voluntary compliance program implemented by an organization demonstrates good-faith efforts to submit claims appropriately. It also tells employees that compliance is a priority.
While the scope of a compliance program will depend on the size and resources of the organization, the OIG has identified Seven Elements of a Successful Compliance Program in their Complete General Compliance Guidance PDF. These elements include:
An effective compliance plan should expand on these seven elements and include directions, standards, and policies for how each element will be handled.
If an area of noncompliance is found, detailed records of the incident should be documented with the date, name of the person who reported the issue, the person who initiated action on the issue, and any corrective action taken.
A corporate integrity agreement (CIA) is a document resulting from a civil settlement that outlines actions required of a healthcare company to maintain the privilege of participating in federal healthcare programs. The OIG plays a prominent role in negotiating, developing, and enforcing CIAs, which typically last five years.
Complying with the obligations in the CIA is enforced by the OIG, with failure to do so subject to monetary penalties. The OIG also can exclude a provider or organization from participating in federal healthcare programs. OIG publishes a list of the organizations and providers that have breached their CIAs and have been penalized as a result.
Under CIAs, providers must promptly notify the appropriate payer of all identified overpayments and must promptly repay the overpayment amount in a manner consistent with the payer's policies. In addition, providers are expected to develop and implement written policies and procedures to ensure that overpayments are identified, quantified, and repaid in accordance with the CMS overpayment rule and other applicable federal healthcare program requirements.
Although all identified overpayments should be refunded to the appropriate payer, a provider under a CIA does not need to report to OIG all identified overpayments at the time it reports such amounts to the payer. The provider must, however, report to OIG within 30 days all "reportable events" as defined by the CIA. A "reportable event" generally means anything that involves:
An IRO acts as a third-party medical review resource that provides objective, unbiased audits and reports. An auditor working as an IRO needs to understand the CIA of their client, including specific terms that may affect the auditing or reporting of the IRO.
The OIG will not endorse a particular IRO, but, if the provider’s choice of IRO is unacceptable, most CIAs include language that gives the OIG the opportunity to notify a provider within 30 days of written notice identifying the IRO. If the OIG has concerns regarding the quality of the review, qualifications, or independence of the IRO during the term of the CIA, it will make the concerns known and may request the agreement with the IRO be terminated and another IRO be retained.
In November 2001, Inspector General Janet Rehnquist issued an Open Letter to Healthcare Providers announcing modifications to OIG policies as a response to concerns regarding the civil settlement process. It also stated circumstances that the OIG would consider relative to a CIA:
This letter introduced the concept of the Certificate of Compliance Agreement (CCA). These CCAs require the provider to certify that it will continue to operate its existing compliance programs and to report to OIG for a period, usually three years.
Last reviewed on Feb. 26, 2024, by the AAPC Thought Leadership Team